Vulpixelize - HITCON CTF 2021
Table of Contents
tl;dr
- Use DNS Rebinding attack to read flag from
/flag
endpoint.
#
Challenge Description
Can you break it?
Source Code: Here
#
Analysis
We are given an application that generates a pixelized screenshot of a given webpage.
There is a flag endpoint that returns the flag only if the remote address is 127.0.0.1
.
|
|
It is possible to get the pixelated screenshot of the flag by submitting http://localhost:8000/flag as the URL.
The application uses Selenium to visit the given URL to screenshot it. The screenshot is resized using PIL library.
|
|
Upon examining the source code further, we find that the webpage that selenium has opened will be left unclosed. This means that it is possible to execute JavaScript for until the deployment expires.
#
Exploit
We use DNS rebinding attack to read the flag from localhost. DNS rebinding attack can be used to bypass Same-Origin policies implemented by the browser.
Here, we use a DNS rebinding service, https://lock.cmpxchg8b.com/rebinder.html to switch between two IPs, one being the IP of the exploit server, and the other being 0.0.0.0
. The rebinder has a short TTL and it switches between these two IPs randomly.
The exploit server contains the following code.
|
|
|
|
The exploit works in three steps:
- The URL http://9843a2a4.00000000.rbndr.us:8000 is submitted to the application. The rebinder first resolves to IP address of the exploit server, and the JavaScript is loaded in the selenium browser.
- The JS code continously makes XHR requests to
/flag
, and sends the result to the webhook URL. - At a certain point of time, the rebinder switches the IP to 0.0.0.0. This causes an XHR request to be sent to http://0.0.0.0:8000/flag instead of the exploit server, bypassing SOP. This returns the actual flag to the webhook URL.
#
Flag ✨
|
|
Thanks for reading.
Cheers. 🍻